FBI’s Advice on Ransomware? Just Pay The Ransom.

FBI Boston’s Joseph Bonavolonta said that paying the ransom is often the easiest path out of ransomware infections.

In-brief: The nation’s top law enforcement agency is warning companies that they may not be able to get their data back from cyber criminals who use Cryptolocker, Cryptowall and other malware without paying a ransom.

The FBI wants companies to know that the Bureau is there for them if they are hacked. But if that hack involves Cryptolocker, Cryptowall or other forms of ransomware, the nation’s top law enforcement agency is warning companies that they may not be able to get their data back without paying a ransom.

“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in its Boston office. “To be honest, we often advise people just to pay the ransom.”

Bonavolonta was addressing a gathering of business and technology leaders at the Cyber Security Summit 2015 on Wednesday at Boston’s Back Bay Events Center. He was referring to ransomware programs like Cryptolocker, Cryptowall, Reveton and other malicious programs that encrypt the contents of a victim’s hard drive, as well as other directories accessible from the infected system. The owner is then asked to pay a ransom – often hundreds of dollars – for the key to decrypt the data.

FBI Boston’s Joseph Bonavolonta addressed the Cyber Security Summit on October 21st. Bonavolonta said that paying the ransom is often the easiest path out of ransomware infections. (Photo courtesy of FBI.)

The FBI issued a notice in June, which identified CryptoWall as the most common form of ransomware affecting individuals and businesses in the US. The Bureau said it had received 992 complaints related to CryptoWall between April 2014 and June 2015 with losses totaling $18 million. That message advised victims of ransomware to contact their local FBI field office.

Bonavolonta echoed that advice in his remarks on Wednesday, but also cautioned that the Bureau may not be able to pry encrypted data from the clutches of the ransomware authors, who use strong, properly implemented encryption to lock up ransomed data.

“The easiest thing may be to just pay the ransom,” said Bonavolonta, who added that efforts by the Bureau and others to defeat the encryption used by the malware did not bear fruit. “The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.”

The success of the ransomware ends up benefiting victims: because so many people pay, the malware authors are less inclined to wring excess profit out of any single victim, keeping ransoms low. And most ransomware scammers are good to their word, Bonavolonta said. “You do get your access back.”

Still, the Boston head of cyber said that organizations that have procedures in place for regularly backing up their data can avoid paying a ransom at all, by simply restoring the infected system to a state prior to the infection.

And the FBI still wants to hear about ransomware infections, even from firms that pay the criminals off. “Do we want you to call the FBI? Yes,” said Bonavolonta. The FBI has been collecting information on ransomware scams and wants to be able to keep abreast of how the scams are evolving.

Hey Patrick. I changed the headline to read “ransomware,” as that’s what the Special Agent was generally referring to. That said: his talk did mention Cryptolocker and not Cryptowall – though he also referred to “ransomware” as if it was a species of malware, rather than a genus. In any case – I hope this helps.

Alex, are you sure that it wasn’t Cryptowall 3.0? (I dealt with it myself last June; fortunately I made a full recovery between shadow copies and backups with only a weekend of downtime.) Cryptolocker has been down for a long time; most new infections of Cryptolocker have been fakes.

What is the BS FBI reco to pay? I don’t get it. Are they profiting? This is less than the early 2013 spread and easier to fix, so why pay? Information is not being shared amongst Corporate and Feds. Same Feds and Feds. So, little gets it again.

Yes – and the Special Agent made that point. Frequent backups make getting rid of an infection much easier vs. trying to ‘break their encryption’ which is basically impossible. Preventing infection, also, is increasingly impossible with the use of drive by downloads via malvertising, etc.

I would tend to think that the FBI’s chief recommendation would be to keep regular backups. The title of the article makes it seem like the FBI thinks paying the ransom under most circumstances is advisable. They probably see it as a last resort, not a chief recommendation. If that is the case then the title is a little sensationalist and misleading. You are not providing a service with this article posed like this. You didn’t even mention backups in your article when that is the number one form of mitigation.

Untrue. From the article: “Still, the Boston head of cyber said that organizations that have procedures in place for regularly backing up their data can avoid paying a ransom at all, by simply restoring the infected system to a state prior to the infection.” And, speaking as the person who heard the presentation, the message was not “backups first and ransom as a last resort.” The message was: “often we’re telling people who come to us hoping to get their data back that the best option is to pay the ransom.” Obviously, these are folks who do not have a restore as an option. I can only report on what the guy said. It’s not my job as a reporter to tidy up the FBI’s image.

Didn’t want to state the obvious. Just thought publicly we don’t negotiate with terrorists. And paying them doesn’t mean the deal is done, nor that data hasn’t been copied onto their storage already. The government needs to work with IEEE, bandwidth providers, cell tower building and management companies to set up rules and guidelines on the gateway, router, FW, switch, modem and tower level. BYOD in Corporate and your environment will NEVER be under control until a major Federal Sensitive Database is brought to its knees. Inevitable. I tested the first WiFi ISA cards before IEEE had standards. I saw this coming in 1999. In 2004 I built the first fleet of Tablets with Windows XP Embedded. Then I said this will be the norm some day, made by everyone, and there is a Cyber catastrophic event in the next decade. I blogged and time-stamped it Christmas day 2004 and it is still on the net. Congress, DOD, NSA, HOMELAND, FBI, White House, & Pentagon need to rid the entire Federal Sector from BYOD PERIOD or God only knows what will happen, but it’s probably not imaginable to our Engineers in the Security Field. The committees in DC are just not right for recommendations and Cyber Defense Appellations. It has to go to the best Hacker groups we have. And I mean Ethical Ones. Ones who learned Reverse Malware Engineering.

Every time someone uses the word ‘terrorist’ to describe any sort of run of the mill crime, cyber or not, done to an individual — one that isn’t personally targeted and harassing, anyway — I want to smack them upside the head. It does nobody any favors other than those who’d seek to take advantage of outsized fear.

Please learn restraint and respect. It’s disrespectful to those who have actually been in the midst of an actual terrorist event, and it’s disrespectful and abusive of a populace that is too easily swayed to lose their freedoms just because someone uses words like ‘terrorist’ to describe something like a cyberlocker — or any other crime that is impersonal and seemingly financially motivated. Crimes are crimes. Terrorism is harder to define, but crimes aren’t, by definition, terrorism. Thanks.

Drive-by downloads can be mitigated by keeping computers updated (specifically Adobe Flash and Java). Creating an application whitelist is also effective, though time consuming to set up and maintain (a properly configured whitelist will prevent most crypto variants from running).

We use FreeBSD with ZFS on all our servers with snapshots every 4 hours, and web servers or anything in PHP or Java running in another ZFS filesystem and using jails.
The Windows servers, without any antivirus, run on VirtualBox (which is in the ZFS snapshot too).
There are NO root passwords, and access is done only using SSH from trusted notebooks running UNIX.
Disks are mirrored and the servers are in a clean room, and login to the server is possible only on the console after booting single-user; besides, you need to know the pen-drive password too (to open the geli).

The servers’ HDs have high cryptography (geli) on the disks, and boot is done using a password-protected pen-drive.
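As an added illustration of the recovery approach described in the article and in this comment (restore from a snapshot taken before the infection), the following Python picks the last clean snapshot from a series of periodic snapshot manifests by flagging the point where files vanish or turn into high-entropy ciphertext. This is example code written for this page, not the commenter's tooling; the snapshot names, file paths and file contents are constructed sample data.

```python
import hashlib
import math
from collections import Counter
# Constructed sample (not from the article): one small file tree as seen by three
# four-hour snapshots; a real run would read .zfs/snapshot/<name>/ instead.
def pseudo_ciphertext(seed, size=1024):  # deterministic stand-in for ciphertext
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:size]
REPORT = b"Q3 report: revenue up 4 percent, headcount flat, churn down.\n" * 20
BUDGET = b"item,cost\npens,12\npaper,40\n" * 30
SNAPSHOTS = {
    "auto-2015-10-21_0000": {"docs/report.txt": REPORT, "docs/budget.csv": BUDGET},
    # normal edit between snapshots: the report grew by one plaintext line
    "auto-2015-10-21_0400": {"docs/report.txt": REPORT + b"Addendum: forecast revised.\n",
                             "docs/budget.csv": BUDGET},
    # infection window: originals gone, high-entropy copies and a ransom note appear
    "auto-2015-10-21_0800": {"docs/report.txt.encrypted": pseudo_ciphertext("r"),
                             "docs/budget.csv.encrypted": pseudo_ciphertext("b"),
                             "docs/HELP_DECRYPT.txt": b"Your files are encrypted. Pay for the key.\n"},
}
def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext sits well below 6, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())
def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    return shannon_entropy(data) > threshold
def suspicious_fraction(prev: dict, cur: dict) -> float:
    """Share of files from the earlier snapshot that vanished or became ciphertext."""
    hits = 0
    for path, old in prev.items():
        new = cur.get(path)
        if new is None or (new != old and looks_encrypted(new)):
            hits += 1
    return hits / len(prev) if prev else 0.0
def last_clean_snapshot(snapshots: dict, max_change: float = 0.5) -> str:
    """Walk snapshots in time order; stop at the first one showing mass encryption."""
    names = sorted(snapshots)
    clean = names[0]
    for prev, cur in zip(names, names[1:]):
        if suspicious_fraction(snapshots[prev], snapshots[cur]) >= max_change:
            break
        clean = cur
    return clean
```

With the sample above the function returns the 04:00 snapshot, which is the one to roll back to; the 0.5 threshold keeps ordinary bulk edits from being mistaken for an infection.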

The FBI is lazy. Don’t pay it. Just back yourself up. Buy an external hard drive. There is nothing on my computer that is of real importance to me. Paying the ransom is encouraging the hackers. I’m surprised the FBI would say that. I guess they don’t have the manpower to deal with it.

Chances are if they’re cryptowalling your device they’re also stealing all of your credentials. Just bear that in mind — a backup’s nice, but if you have anything personal, private, bank info, anything at all — you’re missing the point. Then there’s also the other scam — snag the address book, say you’re stranded somewhere, and have them send ‘you’ money. Or they can just use a phone exploit and run systematically through your phone book going after everyone in it to eventually or immediately possess your friends’ devices too.

The point being, this isn’t just a backup issue. You shouldn’t be keeping anything important on your phone, period, in the first place. And I certainly wouldn’t be connecting that device to your machine without doing a full cache, data, device wipe and reset, too — just to be cautious.

Treat it like any PII theft: assume all your accounts have been hacked and accessed — email, everything. Don’t just assume you can’t access the data. And don’t just assume if you unlock the data that the problem goes away.

PS: I’d also completely reinstall the OS, not just do a device reset — with an up to date image. Assuming it’s available (and with android it often isn’t, which means if it could be exploited to get where it got, chances are it can be exploited again — so I’d look into ways to lock that down and finding out how you got hacked in the first place).

I think this is good advice, Walter. I’ll note, however, that ASAC Bonavolonta was asked about follow-on attacks (reinfection as well as ID theft) and downplayed the risk during his Boston talk – suggesting that it was really about getting the ransom $$. I thought that was a bit of a sour note. Like you, I’d assume that anyone using cryptomalware in a scheme is smart enough to do some credential harvesting and data theft prior to bringing the hammer down.

In theory, it’s probably pretty easy once a cybercriminal has your IMEI/IMSI, tower info, GPS, etc., to just keep reinfecting you, especially with the Android ‘own it all’ stuff that was put out this past year by a certain security company (Stagefright et al). Which is to say, if you’ve been owned, especially by an MMS, not just installing a hacked app, and you pay a ransom, you’ve also indicated you’re easy to relocate, and easy to sucker into paying again — or just infecting via the latter vector even if you were infected initially by the app vector. Honestly I don’t think we’ve seen a lot of repeated harassment, and I think it’s a mistake to believe most cybercriminals would go the repeat route (for one thing, that’d bring a whole lot more attention to them; for another, a lot of the locker crimes seem to be largely passive and not aggressive so far). It’s like picking up a call when a telemarketer gives a ring — you’re added to a list of potential victims (just like replying to spam), though one has to bear in mind that it does mean you’ve suggested you’re willing to pay.

Going to avoid getting into the politics of this; I’ve seen too many FBI statements take the opposite tack, and while I’m not fond of the advice, I’d rather calm than ‘the sky is falling’, considering there isn’t much the FBI can exactly do about it anyway that they’re probably not already at least considering technically.


True, John. But an individual organization confronted with the choice of “get your data back, or don’t” can’t really afford to be altruistic and will likely take their chances. Agent Bonavolonta did make a point of saying that the criminals are usually good to their word and deliver the decryption key. There’s obviously a market interest in doing so – scamming people by taking money and not giving access back will backfire because future victims will get wind of that and opt not to waste their money. If this is a “business” – albeit an illegal one – you want to provide the (extortive) service you’re charging for. That was part of the agent’s message.

If the first part of your statement is true, then the second part of your statement is (probably) true also. But I haven’t seen any conclusive evidence that the first part of your statement is true some of the time, all of the time, or none of the time. If you have it, please share!

Did the FBI say what % of the time you’d get your data back if you pay? My files were encrypted by something that appears to be Cryptowall, but possibly of a different “species”. I’m not sure if it’s the same criminals or some other spin-off.

I totally agree with Paul the author in that when you lose your data, sorry, you’re not thinking about how a few hundred $$ is going to MAYBE fund some terrorists. You’re thinking about increasing the chances of getting your important files back. PERIOD.

Paul – in journalism school, do they teach you about context? You completely mischaracterized what was actually said, to generate page views. I say that because no one could accidentally take those statements so far out of context, unless it was intentional. That’s called site whoring.

Excuse me? Were you at the event Jorge? If anything, I omitted comments that would be even more inflammatory, Jorge. And this wasn’t a throw away comment or aside. This was a flat out statement by the agent that paying ransom in cases of ransomware was often the easiest resolution to the issue, where no other technical means (restore from backup) are available. But the agent didn’t start talking about backups – he started talking about how often the easiest thing is just to pay the ransom. I can put you in touch with other attendees who will corroborate that, if you wish, and if there’s video of the session, I welcome it, as it will support my account of the talk. If you were there and somehow have another memory of the talk, feel free to call me and we can discuss offline. If you weren’t there, please stop trolling and impugning my character and my journalistic ethics.

What’s funny is how few people are actually discussing the issue at hand. And of course the journalist highlighted the most interesting part of the story, which also happens to be the most important part of the story. If you can’t implicitly determine that a backup should be used first (if available), then that’s a whole different problem. There is a solution to encrypting malware, but I’m pretty sure it doesn’t involve feigning confidence that criminals will just become uninterested and stop. Therefore, while telling people to pay may be promoting some activity, it is also the ethical thing to tell people who currently want their data back.

Yes. This is exactly the point: if you’re a business or individual who needs to get data back and doesn’t have a backup, you have few options. What the Boston FBI was saying, essentially, is that breaking the malware’s crypto isn’t one of them, so don’t count on it. That’s also a warning for companies that haven’t yet been hit to put the necessary protections in place so that you can recover from a crypto malware attack. Namely: frequent off site backups, user least privilege (so write privs to network directories only when absolutely necessary), etc.